Method and apparatus to perform online credential reporting

ABSTRACT

Embodiments of the invention provide a process for displaying a graphical indicator on an Internet enabled device which conveys relationships between an entity associated with a website and third party entities with respect to the website entity. One example method may include obtaining the relationship data from a credential service provider, using a portion of a uniform resource identifier as a key to access the relationship data on the credential service provider, and rendering a representation of the relationship data, wherein the rendering of the relationship data is performed in a graphical user interface of a web browser, and wherein the web browser displays a rendering of the representation of the relationship data such that there is a relationship between an entity associated with the uniform resource identifier and a third party entity.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 12/691,901, filed Jan. 22, 2010, entitled METHOD AND APPARATUS TO PERFORM ONLINE CREDENTIAL REPORTING, issued as U.S. Pat. No. 9,449,195 on Sep. 20, 2016, which claims the benefit of U.S. Provisional Application Ser. No. 61/146,687, filed Jan. 23, 2009, entitled SOLUTION TO THE ABUSE OF CREDENTIALS ON THE INTERNET, the entire contents of each of these applications are incorporated by reference herein.

TECHNICAL FIELD OF THE INVENTION

This invention relates to reporting credentials of an entity on the Internet or other such network. More particularly, this invention relates to establishing relationship data and credential data.

BACKGROUND OF THE INVENTION

There are many forms of credentials. Many entities, such as companies, organizations, associations, or individuals, can claim to have certain credentials without any recourse for someone to verify if the aforementioned credentials are legitimate. Credentialing programs, policies, or arrangements, often have a logo that is permitted for use by authorized entities according to predetermined rules and regulations. These logos are increasingly being abused by being placed on websites in an effort to falsely legitimize an entity that is not authorized to use the logos.

An example of such misuse is the display of a Better Business Bureau (BBB) logo on a website when the website owner is not a member of the “BBB” nor is the website owner authorized to use or display the logo. Another example is a website claiming “ISO 9000” certification when the entity represented is not certified.

Credentials allow an entity to gain the trust of people or potential customers that view their website. Generally, for an entity to gain a specific type of credential, such as, a certification of expertise or an educational degree, time and money are invested. When illegitimate use of a credential happens, the value of the credential is then lessened as public perception of its meaning is diluted due to misuse.

Consider a case where someone has a website claiming that they are a registered patent agent. If a potential customer of the patent agent does not check with the USPTO website to verify the claim, there is a risk of the person's idea being stolen by an unscrupulous imposter patent agent that is not authorized by the appropriate entity. Those being scammed in the example may then have a negative opinion of patent agents and in the future may refrain from seeking out the services of patent agents; legitimate patent agents therefore suffer by losing business.

When encountering a claim by a website on the Internet, such as, being an official reseller of merchandise from Apple® Computers, Inc., the only way to know for sure that the website is a legitimate reseller is to go to the website of Apple Computer, Inc. and then try to find a list of authorized resellers, if such a list even exists. This is a complex and tedious process as not all websites readily make available lists of entities that they've entered into a relationship with or bestowed credentials upon for purposes specific to their business or industry.

Consider the case of someone claiming to be a patent attorney. If someone hires a patent attorney, they would generally need to check multiple sources to verify the claims of various credentials. The USPTO would have to be queried to verify that the attorney is properly registered and authorized. Additionally, the appropriate state bar would have to be queried to verify that the attorney is still in good standing. The problem with this scenario is that one can't necessarily or easily verify that someone really is a lawyer at all, as not all state bars provide mechanisms for researching members and verifying their credentials, and not all persons are knowledgeable about such verification procedures.

Credentials exist in many forms and in many industries. Doctors have credentials issued by medical establishments so that they may practice medicine. Educational institutions have credentials issued by commissions and various organizations in order to be officially recognized. Corporations have credentials issued by governments so that they may conduct business according to specific laws.

The concept of authenticating identity (that you are who you say you are) in today's virtual Internet-based society is increasingly difficult to substantiate. For example, once an identity has been supposedly authenticated, the entity can then make any claim imaginable. For example, a government issued identification card doesn't establish that a person is really a doctor. Authenticated identity on the Internet suffers the same limitations. A company with an Extended Validation (EV) certificate may have a robust identity established, but that identity can then make unsubstantiated claims, such as, being medically certified, which may end up being falsely seen as legitimate due to the extended verification SSL certificate.

Current methods for protecting credentials include, among others, legal proceedings when fraud is identified. This is problematic when the infringing entity is in another country. This is very costly and time consuming and only addresses problems or abuse of credentials that have been discovered. A current method for highlighting credentials bestowed on others is currently limited to the credential issuer making credential information available, or, by providing a link to the credentialed entities to put on their websites so that someone may click the link to go to the credential issuer's website for verification. Such embedded links or graphics can be easily spoofed with current technologies, such as, but not limited to, modern implementations of the ECMA-262 specification, commonly known as JavaScript. The current methods of protecting and promoting credentials on the Internet are costly or impractical, especially for small businesses.

BRIEF SUMMARY OF THE INVENTION

Embodiments of the invention provide systems and methods for credential information, in the form of third party established relationships, to be reported when accessing specific resources on a network by way of a networked device. According to one embodiment, a method to display relationship data may include obtaining the relationship data from a credential service provider, using a portion of a uniform resource identifier as a key to access the relationship data on the credential service provider, and rendering a representation of the relationship data, such that the rendering of the relationship data is performed in a graphical user interface of a web browser, and the web browser displays a rendering of the representation of the relationship data such that there is a relationship between an entity associated with the uniform resource identifier and a third party entity.

According to alternative embodiments, there are additional methods comprising alleviation of network congestion through use of credential information stored locally on an Internet enabled device.

According to alternative embodiments, there are additional methods comprising alleviation of network congestion through use of information obtained from a CSP or through implementation specific protocols for network access rules.

According to alternative embodiments, the invention can comprise an additional method of using a uniqueness identifier for controlling network congestion and altering the graphical indicator.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a partial view of a web browser, specifically the graphical user interface, according to example embodiments of the present invention.

FIG. 2 is a partial view of a web browser's content display area, according to example embodiments of the present invention.

FIG. 3A is a partial view of a web browser GUI, according to example embodiments of the present invention.

FIG. 3B is a detail view of FIG. 3A, according to example embodiments of the present invention.

FIG. 4 is a partial view of a web browser, according to example embodiments of the present invention.

FIG. 5 is a general process for the preferred embodiment for use with web pages, according to example embodiments of the present invention.

FIG. 6 is a general process for data acquisition, according to example embodiments of the present invention.

FIG. 7 is a flowchart example method, according to example embodiments of the present invention.

FIG. 8 is another flowchart method, according to example embodiments of the present invention.

FIG. 9 is a detail view of a Credential Service Provider (CSP) query, according to example embodiments of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Embodiments of the invention provide systems and methods for credential information, in the form of third party established relationships, to be reported when accessing specific resources on a network by way of a networked device.

Specific items need to be defined in order to provide a complete understanding of the invention. An Internet enabled device or application may be any computer program executed on a computing device or any physical device capable of accessing either or both the Internet or any private network. Furthermore, an Internet enabled application could be a web browser, a file transfer protocol (FTP) client, an Internet relay chat client, news group reader, gopher client, etc.

A person skilled in the art will appreciate that there are many different types of programs capable of accessing the Internet. An Internet enabled device can mean a cell phone, a video game device, a TV tuner box, a cable TV box, voice over Internet protocol (VOIP) devices, etc. A person skilled in the art will also appreciate that there are many devices that are capable of Internet access. For clarity and brevity, the term “web browser” should be any Internet enabled device or application capable of using a uniform resource identifier (URI) to access resources on the Internet or equivalent network.

A web browser, even when conceptualized as software or a computer program, still requires a computer to function, and is limited by the necessity of a physical device, generally a general purpose processor which executes instructions residing on physical media such that the instructions, when executed, cause the processor to perform the functions of a web browser. A computer program or application may be a set of instructions on physical media, such as, but not limited to, a hard disk drive, that are executed by either a general or specific purpose processor to modify the state of the processor and optionally modify the state of any networked or attached devices.

A web browser may be interpreted as a computer readable medium comprising instructions that, at the very least, when read by a processor, cause the processor to modify internal state such that data is obtained from a network via the use of a uniform resource identifier.

Internet access, in the sense of a device being Internet enabled or Internet capable, may be the public Internet or may instead be a private network utilizing the Internet protocol (IP). A person skilled in the art will also realize that the Internet protocol is versioned, and this invention readily applies to all versions, existing or otherwise. There are other large networks similar to the public Internet that may use alternative protocols, but by their nature of being vast networks should be considered as equivalent structures or conglomerations of machines such that this invention could readily be utilized by web browsers or other software engines connected to such networks.

A credential may be, but is not limited to, a certificate, accreditation, license, membership status, authorization, title, grant, permit, warrant, and sanction. A credential, among the aforementioned, also encompasses various decrees that establish a relationship or bestowment.

A relationship may be a transfer, issuance, or existence of credentials between two entities, an issuer and a holder. A relationship exists between an issuer and holder in any of various forms, as defined by a credential. A relationship also encompasses an implied credential, either authorized or not authorized by any of either an issuer or a holder.

An issuer may be the entity that issues certifications, accreditations, licenses, warranties, or generally stated, credentials, which establish either a relationship or a bestowment of some kind. A holder may be an entity that is the recipient of certifications, accreditations, licenses, warranties, or generally stated, credentials, which establish either a relationship or a bestowment of some kind.

A credential service provider (CSP) is used interchangeably with the term Internet authority service, abbreviated as (IAS). Both CSP and IAS are functionally equivalent to one another. A CSP is an entity which exists as a neutral third party for purposes of consolidation, reporting, and verification of established relationships between issuers and holders. A CSP is neutral in the sense that a relationship that exists between an issuer and holder may be independent of the CSP.

In FIG. 1, a uniform resource identifier (URI) 60 is illustrated as being a part of the web browser GUI, according to example embodiments of the present invention. Some web browsers may not display the URI. Also displayed is a favorites icon, favicon, or shortcut icon 50. This element is particularly pointed out because the image displayed is determined by the document content, which is under the control of the site owner or page author. The URI is defined in the published request for comments (RFC) with an identification number of (RFC 2396), as well as in updates to the standard in various other RFCs, such as, for example (RFC 3986), both of which are hereby incorporated by reference in their entirety. The use of a URI may include all variations and revisions of the definition of a URI, including future revisions, as defined by various RFC documents, as functionally equivalent regarding usage in the process defined in this patent.

FIG. 2 illustrates a content window of a web browser, according to example embodiments of the present invention. A content window is where web pages are generally displayed. A relationship statement 10 is contained within the web page document. A logo 20 is contained or defined within the web page document. The relationship statement 10 and logo 20 are under the control of the site owner or page author, which is similar in origin to the favorites icon 50 of FIG. 1.

FIG. 3A illustrates a web browser GUI with a relationship indicator 30, according to example embodiments of the present invention. FIG. 3B illustrates a relationship indicator 30 without the web browser GUI. A relationship indicator 30 need not necessarily be entirely graphical. A relationship indicator can also be the playing of a sound to accommodate persons with disabilities. A person trained in the art of user interface design will appreciate that a relationship indicator 30 can also be textual in nature, and could easily appear as a menu item within a web browser GUI, among other forms.

The form or expression of a relationship indicator 30 may be dependent on web browser GUI constraints. For example, a web browser on a cell phone is constrained in the amount of available display space. A relationship indicator 30 in such a scenario would be implemented to fit the situation, such as a button on the device, and/or an alert, and/or the requirement of user input to view the relationship information.

Illustrated in FIG. 4 is a combination view of various elements of a web browser along with a relationship indicator 30 within a web browser GUI, according to example embodiments of the present invention. An avowed logo 40 is conveyed by the relationship indicator 30. A web browser with the capability to display relationships may be, in the context of further illustrations, a web browser 110. One example distinction between an avowed logo 40 and a logo 20 is that the origin and control of an avowed logo 40 is from a CSP, while the origin of a logo 20 is under the control of the entity represented by the web page.

One skilled in the art can see that a web browser 110 can easily be represented in various forms, either as a software application, which may include a computer readable medium including instructions that when read by a processor, cause the processor to alter state, or within a hardware implementation, such as an application specific integrated circuit (ASIC), or as other such embedded tangible devices. A relationship indicator can readily be applied to various applications or devices that access resources on a network, such as, but not limited to, FTP clients, NNTP clients, Email clients, cell phones, personal digital assistants, TV signal receivers, and so forth.

FIG. 5 illustrates a web browser 110 interfacing with both a web server 120 and a CSP 130, according to example embodiments of the present invention. The web server 120 and web browser 110 communicate with a request 140 and a response 150. The web browser 110 and CSP 130 communicate via a request 160 and response 170. One skilled in the art recognizes that there are many variations in data transfer between a web browser 110 and a web server 120. Variations in protocols used in association with the web browser may include, but are not limited to, HTTP, HTTPS, POP, and/or SMTP.

FIG. 5 is an overall high level view of the isolation between the web server 120 and CSP 130 when communicating with a web browser 110. Within various connection protocols, connections to third party entities, as determined by necessity for encryption, are readily implied when speaking of a connection between a web browser 110 and web server 120. For example, there may be third party connections to certificate authorities in the context of a HTTPS connection to a web site. Such variation in connection between a web browser 110 and web server 120 is considered to also apply for the communication between a web browser 110 and a CSP 130.

One example embodiment of the invention in the context of information exchange between a CSP 130 and web browser 110, would be HTTP over SSL or TLS. In other words, a CSP request 160 and CSP response 170 may be encrypted. However, unencrypted communication is understood to be equivalent to encrypted communication with regard to communication with a CSP 130.

FIG. 6 illustrates the communication scheme for the CSP 130 to acquire relationship information, according to example embodiments of the present invention. A holder 210 and an issuer 220 have a relationship 230. Issuer 220 is the source of an issuer information exchange or issuer information 240 with the CSP 130. The CSP 130 may initiate a request for the issuer information 240 and/or the issuer 220 may push the issuer information 240 without being prompted by the CSP 130. The issuer information 240 may include relationship information, and can be transferred between parties involved by a telephone call, mail, or via electronic communication.

An example of the issuer information 240 may be represented by the following example, if issued in a letter sent by mail: “Any URI matching the pattern defined by ‘http://*.gov/*’ where the asterisk is a wildcard match, will result in a credential issued by the United States Government. The logo to be used can be found at a specific government website as well, such as, for example ‘http://*.gov/logo.png.’ Other details, as necessary for the credential, may be provided.” These website locations are generic examples and are not intended to represent actual web location URIs.

Another example of issuer information would be an electronic transmission of information. Such an example in an XML format may look like the following:

<credential lang="en-US" charset="UTF-8">
  <match><![CDATA[http://*.gov/*]]></match>
  <exclude><![CDATA[http://*.gov.*/*]]></exclude>
  <issuer id="123456" />
  <holder id="789"></holder>
  <holder id="KC5BGN"></holder>
  <holder id="N5TVN"></holder>
  <logo><![CDATA[http://www.acme.gov/logo.png]]></logo>
  <details><![CDATA[This website is a U.S. government website.]]></details>
  <type>5</type>
  <issuedate>July 4, 1776</issuedate>
  <expire>Never</expire>
</credential>
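
An added example, not part of the patent text: one way, in Python, to evaluate a URI against the match and exclude patterns of issuer information in the XML format shown above. It assumes the asterisk is the only wildcard and that the host part of a pattern is compared only with the parsed host of the URI; the function names are hypothetical and the record is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the issuer information format shown above.
ISSUER_INFO = """\
<credential lang="en-US" charset="UTF-8">
  <match><![CDATA[http://*.gov/*]]></match>
  <exclude><![CDATA[http://*.gov.*/*]]></exclude>
  <issuer id="123456" />
  <holder id="789"></holder>
  <holder id="KC5BGN"></holder>
  <holder id="N5TVN"></holder>
  <logo><![CDATA[http://www.acme.gov/logo.png]]></logo>
  <expire>Never</expire>
</credential>
"""


def load_credential(xml_text):
    """Parse one <credential> record into a plain dictionary."""
    root = ET.fromstring(xml_text)
    return {
        "match": [e.text.strip() for e in root.findall("match")],
        "exclude": [e.text.strip() for e in root.findall("exclude")],
        "issuer": root.find("issuer").get("id"),
        "holders": [h.get("id") for h in root.findall("holder")],
        "logo": root.findtext("logo"),
        "expire": root.findtext("expire"),
    }


def wildcard(glob, text):
    """Match text against glob, where '*' is the only wildcard (assumption)."""
    regex = ".*".join(re.escape(piece) for piece in glob.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None


def split_pattern(pattern):
    """Split 'scheme://host/path' into (scheme, host glob, path glob)."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        raise ValueError("pattern must include a scheme: %r" % pattern)
    host, _, path = rest.partition("/")
    return scheme.lower(), host.lower(), "/" + path


def uri_matches(pattern, uri):
    """Compare scheme, host and path separately.

    A whole-string wildcard would let text in the path or userinfo satisfy
    the host part of the pattern; matching parsed components avoids that.
    """
    p_scheme, p_host, p_path = split_pattern(pattern)
    try:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URI: treat as no match
        return False
    if not host or parts.scheme.lower() != p_scheme:
        return False
    return wildcard(p_host, host) and wildcard(p_path, parts.path or "/")


def credential_applies(cred, uri):
    """Exclude patterns take precedence over match patterns."""
    if any(uri_matches(p, uri) for p in cred["exclude"]):
        return False
    return any(uri_matches(p, uri) for p in cred["match"])


if __name__ == "__main__":
    cred = load_credential(ISSUER_INFO)
    for uri in ("http://www.house.gov/paul/",
                "http://www.acme.gov.tld/index",
                "http://example.tld/www.acme.gov/index"):
        print(uri, credential_applies(cred, uri))
```
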

One skilled in the art recognizes that a relationship 230 may be both complex and multifaceted such that types and amounts of data will differ due to credentials, and also that issuer information 240 can be transferred between parties by various different communication schemes. Issuer information 240 is not specific to a single mode of communication, as each issuer 220 may have different communicative capabilities predetermined by how details of a relationship 230 are stored, as noted from FIG. 6.

FIG. 6 also illustrates holder information 250 and its connection to a CSP 130, according to example embodiments of the present invention. Typically, but not always, a holder will initiate information exchange regarding a relationship 230. The holder information 250 is similar to issuer information 240 in regards to physical exchange of information in the form of a phone call, mail, or electronically, etc. The similarities in content regarding holder information 250 and issuer information 240 are easily recognizable from their duplicative nature. For example, when a relationship 230 is established, the issuer 220 may instruct the holder 210 to include specific details regarding holder information 250. This may enable a verification to occur at a CSP 130 along with issuer information 240. The issuer 220 may also have stipulations in the formation of the relationship 230 that preclude holder information 250, thus making it optional.

A CSP 130 typically stores the data of a relationship 230 as provided by an issuer 220 and holder 210 in a database on one or more computers. One skilled in the art should know what constitutes a database on one or more computers. The device for storage of a database may consist of hard disk drives, solid state drives, optical disk drives, or random access memory, or functionally equivalent device for storage of digital data.

FIG. 6 also illustrates an optional operation, such as, obtaining identifying information 260. This may comprise ownership information with regard to a URI, and/or identity information through a mechanism that validates identity established by another party. This identity information helps to maintain the relevant data obtained by a CSP in the scenario of a change in domain name ownership. For example, if a company, Acme Brick Co., which controls the domain “acme.tld”, sells the domain name to another company, Aerospace Cosmological Mechanics and Engineers Co., then the identification information associated with the domain name would change, and any associated credentials for Acme Brick Co. would be invalid and expired.

Ownership information with regard to a URI may have a caliber of detail that is different from ordinary domain name ownership. For example, a website with a multitude of different identities may have specific ownership information and/or identity information associated with a variety and plurality of URI. For example, professionals.tld/archie would be associated with someone named Archie, while professionals.tld/veronica would be associated with someone named Veronica. In this example, if Archie fails to pay ownership dues for being listed on the site, the URI may become available for someone else with the same name and different credentials. In this scenario, identifying information 260 is used to establish the validity or invalidity of credentials associated with a URI due to a change in or status of the holder 210.

As noted above, the credential features may be entirely optional as the issuer 220 may have specific provisions used to monitor the status of its own credential holders 210. For example, consider Bob, who owns “Bob's Hardware,” and has been issued a DBA (doing business as “DBA”) by the local government to operate under the name of “Bob's Hardware” and has credentials by the local government as to the status of the DBA associated with a URI that Bob controls. Bob, in this example, is a holder 210, the local government is an issuer 220, and the relationship 230 is the DBA. If Bob has an accident in his hardware store that kills him, then his DBA may no longer be valid. The local government, which is the issuer 220, may get notified regarding Bob's death, and will then send information 240 to the CSP 130 regarding the expiration of the relationship 230 because Bob no longer controls the URI associated with the former relationship 230.

FIG. 7 illustrates a flowchart of process operations according to example embodiments of the present invention. Referring to FIG. 7, a URI 310 is accessed within the context of a web browser. The accessing of the URI 310 may occur when a person clicks on a hyperlink, manually enters a URI 60, or programmatically makes a modification, such as, via a JavaScript, or some other automatic accessing operation. Upon access of the URI 310, a CSP query 320 is performed. The CSP query 320 supplies as input to the CSP, at the least, the URI or partial URI from operation 310, such that the URI or partial URI is used as a key to obtain relationship data 330. Other details, such as language, geographical details, and other details, may also be provided. The connection to the CSP would typically be conducted via HTTPS, however, the protocol used to communicate can easily be replaced with any other communication protocol capable of transmitting data. The connection to the CSP may also be encrypted.

A CSP query 320 may include varying amounts of data. At the very least, a URI or partial URI is transmitted to the CSP from the web browser. Typically this would be data in XML format, but other formats, human readable or otherwise, would satisfy this operation. An example of what the data may look like may be:

<query version="1.0">
  <request>http://domain/path/file?key=value</request>
</query>

An alternative form of the query may include posting data to the CSP according to HTTP, or even obtaining data according to HTTP. As an example of a GET request, consider the request “http://CSP/request.php?uri=domain/path/file”. Again, these link examples are generic and are intended to illustrate underlying data formats and parameters and are not actual web link locations that are accessible via the Internet. In this example, a specific CSP server is contacted by using a uniquely crafted URI, such that the domain information is embedded within. One skilled in the art will appreciate the wide variety of communication mechanisms that exist and would suffice as replacements to this example.

A CSP query, in a more complicated form, may look like the following in order to specify the language of the data, and various other parameters to modify data:

<query version="1.0">
  <request>http://domain/path/file?key=value</request>
  <language>en-US</language>
  <details>true</details>
  <not>1232,3353,1134,0887</not>
  <exclude>memberships</exclude>
  <include>legal</include>
</query>

A response from the CSP will yield relationship data 330, and may look like the following, in an XML format:

<result>
  <csp>http://alternativeCSP</csp>
  <csp>https://AnotherDifferentCSPThatMayContainOtherRelationships</csp>
  <relationship identifier='abc123'>
    <entity>Company</entity>
    <detail>detailed information</detail>
  </relationship>
  <relationship lang='en-us' identifier='def456' uniqueness='*.gov/*'>
    <entity>Company</entity>
    <detail>information</detail>
  </relationship>
</result>

In FIG. 7, relationship data 330 can be either specific to a single URI or broad to apply to a set of URIs. For example, the credentials bestowed upon different branches of government may all be the same if the issuer is the same for all credentials bestowed. To continue with the example for the case of the United States, the set of domains “house.gov” and “senate.gov” may have identical credentials as provided by the United States Constitution. This example illustrates that any URI with either of those domains would have a common credential, and such examples of URI with the common credential could be http://www.house.gov/paul/ and http://hutchison.senate.gov/. Relationship data 330 is a document, typically electronic in form, also in either human readable or machine readable form, optionally encrypted, that contains identifiable information that indicates one or more relationships between a holder and one or more issuers. Relationship data 330 may contain none, one, or more relationships.

In FIG. 7, the presence or absence of relationship data 330 determines a change in state of the user interface of a web browser to either indicate the presence, or lack of, the aforementioned relationship data 330. If the URI has any relationships, then this configuration provides a platform for such information to be conveyed. In the case of relationship data 330 indicating relationships, then a modify GUI 340 operation occurs. This operation can change the browser GUI from what is displayed in FIG. 1, to a form of that of FIG. 3A, which has a relationship indicator 30 displayed. If no relationship data 330 is present, then the web browser GUI is placed into a state such that the relationship indicator 30 from FIG. 3A is not present or indicates that no such data or relationship exists.

Relationship data 330 is rendered by the web browser 110, or Internet enabled device, where the input used to render the data may come from an image, such as a logo, either embedded or referred to in the relationship data 330. A rendering of the relationship data 330 does not have to be a visual rendering, but could also include a sound rendering in order to accommodate people with visual impairments. A rendering of relationship data 330 may be considered as a notification, where various forms of notification may be used depending on the physical abilities of the person receiving the notification. In FIG. 4, the avowed logo 40 is an example representation of rendered relationship data 330 from FIG. 7. A rendering, in the form of an avowed logo 40, via relationship data 330, is to be considered as a form of modifying of the GUI, at operation 340.

Example embodiments of the invention provide that the relationship indicator 30 from FIG. 4 is displayed within a web browser's GUI such that it is distinctly separate from URI document content. A distinction is such that a logo 20, illustrated in FIG. 4, or a statement of relationship 10, also in FIG. 4, is controlled by a holder, where the avowed logo 40 in a relationship indicator 30 is controlled by an issuer. Relationship data 330, from FIG. 7, which is a digital form of relationships as described above, is manifested as an indicator, generally rendered in the form of a logo. Relationship data 330 may be used to indicate an established relationship between a holder and an issuer by way of a URI, or partial URI as input to a credential service provider.

In FIG. 8, alternative embodiments are illustrated. The elements of a cache engine 410, a uniqueness identifier engine 420, and a network dispersion engine 430 are such that they are entirely optional with regard to the present invention, and do not require the presence of the other items in order to function properly. Functionality of one can affect the others as described below.

In FIG. 8, a cache engine 410 is a mechanism of storing relationship data 330 locally within a web browser 110 from FIG. 5. The cache engine 410 is entirely optional as not all web browsers are capable of storing data locally. In an optimal implementation of the invention, a cache engine 410 stores data in a local file such that records of data can be easily retrieved. An example of such a storage mechanism would be a SQL capable database stored on a local disk drive.

There are various ways of storing data on a device, in many different physical and logical schemes, such that functionality is equivalent so that data can be stored and retrieved. When a URI is accessed 310, the cache engine 410 can be queried for relationship data 330. If relationship data is not found in the local cache, then the operation of needing to query the CSP 440 is “yes”, and in turn the CSP is queried, at operation 320.

Example embodiments of the present invention do not require that a need to query CSP 440 operation follow the branch along the no path if relationship data is retrieved via the cache engine 410. Stated another way, if relationship data is obtained from the cache engine 410, then the CSP can still be queried.

In FIG. 8, the determining factor to establish the state for a need to query CSP 440 operation is based on application specific criteria. For example, one manufacturer of a web browser may implement this configuration such that even in the presence of cached relationship data, the CSP is always queried to maintain freshness of information. Another manufacturer of a competing web browser may implement the determining criteria for the need to query CSP 440 operation such that if a website is visited again within a twenty-four hour period, the CSP is not queried as long as relationship data is stored in the cache.

A third competing browser manufacturer may implement the determining criteria such that its state is controlled by user specified settings, as someone utilizing a low bandwidth connection may want to be more conservative with CSP queries. The determination of the state of query in this regard is highly dependent on the scenario of implementation, which is impossible to describe in detail all variations of situations that may affect a need to query CSP 440. However, one skilled in the art will appreciate the flexibility in utilizing a flexible determination criteria on implementation, as the example embodiments of the present invention are implemented with a vast array of Internet enabled devices and applications. Such implementation specific designations regarding the determining criteria for the need to query CSP 440 operation are analogous to a physical material in the production of a machine such that the machine can still function as defined with a variety of alternative materials.
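The cache lookup and the three determining criteria described above, as an added Python example that is not part of the patent text: a local SQL cache keyed by the URI portion sent to the CSP, and a "need to query CSP" decision driven by a per-browser policy. The class, function and policy names and the seven-day user setting are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass

DAY = 24 * 60 * 60  # seconds


@dataclass(frozen=True)
class QueryPolicy:
    always_refresh: bool  # query the CSP even when data is cached
    max_age: float        # seconds a cached record may be reused


# The three manufacturer behaviours described in the text.
ALWAYS_FRESH = QueryPolicy(always_refresh=True, max_age=0)
DAILY_WINDOW = QueryPolicy(always_refresh=False, max_age=DAY)
LOW_BANDWIDTH_USER = QueryPolicy(always_refresh=False, max_age=7 * DAY)  # constructed user setting


class CacheEngine:
    """Local SQL store of relationship data, keyed by the URI portion used as the CSP key."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS relationship_cache ("
            "uri_key TEXT PRIMARY KEY, data TEXT NOT NULL, fetched_at REAL NOT NULL)")

    def store(self, uri_key, data, now):
        self.db.execute("INSERT OR REPLACE INTO relationship_cache VALUES (?, ?, ?)",
                        (uri_key, data, now))
        self.db.commit()

    def lookup(self, uri_key):
        """Return (data, fetched_at) or None when nothing is cached."""
        return self.db.execute(
            "SELECT data, fetched_at FROM relationship_cache WHERE uri_key = ?",
            (uri_key,)).fetchone()


def need_to_query_csp(cache, uri_key, policy, now):
    """The 'need to query CSP' decision: True is the 'yes' branch."""
    row = cache.lookup(uri_key)
    if row is None or policy.always_refresh:
        return True
    return now - row[1] >= policy.max_age


def relationship_data_for(uri_key, cache, policy, query_csp, now):
    """Return (data, queried); query_csp is called only on the 'yes' branch."""
    if need_to_query_csp(cache, uri_key, policy, now):
        data = query_csp(uri_key)
        cache.store(uri_key, data, now)  # an empty result is cached as well
        return data, True
    return cache.lookup(uri_key)[0], False
```

Under the two window policies, a relationship withdrawn at the CSP keeps rendering from the cache until max_age elapses, which is the cost of the saved queries.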

In FIG. 8, a uniqueness identifier engine 420 may be implemented to determine the need to query the CSP 440. A uniqueness identifier may be used to establish the uniqueness of a URI within the context of relationships. For example, “http://www.house.gov/paul/”, when used as input during a CSP query may yield a set of relationships specific to every URI residing on the domain “house.gov.” There may also be one or more sets of relationships with a uniqueness identifier indicating that specific relationships are specific to URI that are of the form “www.house.gov/paul.”

This uniqueness identifier allows a relationship to indicate a broad collection of URIs to associate with one or more relationships. A uniqueness identifier may be implemented as a wild card matching system, such that URI that match the uniqueness identifier as returned by the CSP are considered equivalent. For example, “http://www.house.gov/” and “http://house.gov/” might both match a uniqueness identifier represented as “http://*.house.gov/*” where the asterisk is considered a wild card character that matches any string of information. Other variations of the expression may utilize regular expressions, or other such matching capability.
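The wild card matching described above, as an added Python example that is not part of the patent text: it compares a wildcard applied to the whole URI string with one applied to scheme, host and path separately, so that an asterisk in the host position cannot absorb part of a path. Treating a leading "*." as also covering the bare domain is an assumption made so that both "house.gov" URIs from the text match; the function names and the host "unrelated.example" are constructed.

```python
import re
from urllib.parse import urlsplit

# scheme://host/path, where any part may contain '*'
IDENTIFIER_RE = re.compile(r"^([^:/]+)://([^/]+)(/.*)?$")


def glob_fullmatch(glob, text):
    """'*' matches any run of characters; every other character is literal."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in glob)
    return re.fullmatch(regex, text, re.DOTALL) is not None


def naive_match(identifier, uri):
    """Wildcard over the whole URI string: '*' can cross the host/path boundary."""
    return glob_fullmatch(identifier, uri)


def component_match(identifier, uri):
    """Match scheme, host and path separately so each wildcard stays in its component."""
    m = IDENTIFIER_RE.match(identifier)
    if m is None:
        return False
    scheme_pat, host_pat, path_pat = m.group(1), m.group(2).lower(), m.group(3) or "/*"
    try:
        parts = urlsplit(uri)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return False
    host = parts.hostname       # lower-cased, with port and userinfo removed
    if not parts.scheme or host is None:
        return False
    host_ok = glob_fullmatch(host_pat, host)
    # Assumption: "*.house.gov" also covers the bare domain "house.gov",
    # which is what lets both URIs in the text's example match.
    if not host_ok and host_pat.startswith("*."):
        host_ok = host == host_pat[2:]
    return (glob_fullmatch(scheme_pat, parts.scheme)
            and host_ok
            and glob_fullmatch(path_pat, parts.path or "/"))


IDENTIFIER = "http://*.house.gov/*"
# Constructed URI on another host whose path happens to contain ".house.gov/".
LOOKALIKE = "http://unrelated.example/.house.gov/"
```

With the whole-string match, LOOKALIKE is treated as equivalent to the house.gov URIs and "http://house.gov/" is not; the component match reverses both results.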

A uniqueness identifier may also be present within the content body of a web page, or as part of the URI, as a hint to the web browser to perform a CSP query. In this situation, the uniqueness identifier is a token or marker to inform the browser that there may exist relationship data specific to that URI such that the browser may perform a CSP query to obtain the URI specific relationship data. For example, a video sharing website may have a particular relationship that gets displayed via the relationship indicator 30. However, a member of that site may have a sub-page that would need to display credentials specific to their own relationships, such as membership in the screen actors' guild, as an example.

A CSP query may then provide specific relationship data for a currently accessed URI. Depending on the response from the CSP, the sub-page may have either a set of unique credentials, or credentials in addition to those of the root video web site. If there are unique credentials associated with sets of URI, then a response from a CSP may indicate, possibly with a matching scheme, such sets. That is to say that a single CSP query may indicate specific relationships for a group of URI associated with one another in the sense that they all share one or more unique credentials that are not associated with every URI.

To continue with the above example, the end result is that personal and unique credentials are displayed when people view that person's videos on the site. A uniqueness identifier might take the form of a meta-tag, and may look like <meta name='unique' content='true'/>. The browser may apply this as part of a determining criteria if need to query CSP 440 should be “yes” or “no.” If relationship data was already queried for a URI with a uniqueness identifier, and that relationship data matches a subsequent URI, then the need to query the CSP 440 may not be necessary.

In continuing the preceding example, an example of such a scenario would be if multiple videos are accessed via corresponding URIs, and each URI contains a uniqueness identifier, then only one query to the server needs to be performed. The server may respond with its own uniqueness identifier that supersedes identifiers obtained through the URI.

A uniqueness identifier is a way to control CSP queries by establishing when queries are necessary, and from that, when they are not necessary. The mechanism for understanding and altering state, the uniqueness identifier engine 420, may work in conjunction with the cache engine 410, such that uniqueness identifiers are cached and used as a mechanism to match URI to relationship data.

In FIG. 8, a network dispersion engine 430 is a mechanism to relieve network congestion. A CSP may have data spread across many servers and in various parts of the world. There may be other types of criteria for data separation, such as redundancy, legality, multiple entities acting as credential service providers, and language support, etc. For example, there may be servers that contain relationship information in the language of Spanish, and so forth for other such languages, essentially dividing up data among many machines.

Servers may be geographically located as well. As an example, CSP servers with relationships for Japanese companies might be located in Tokyo, Japan. In such a distribution of data, a query to the CSP may take into account various metrics, such as the location of an entity 110, from FIG. 5, requesting relationship data, the language the CSP query is requesting the data to be in, the Internet service provider, etc.

An implementation of a network dispersion engine 430 is such that decisions to query a CSP are determined based on specific metrics, as mentioned above. A network dispersion engine 430 residing on a computer with the system language of en-US may default its CSP query 320 to the CSP server designated as “https://en-US.CSP/” while a network dispersion engine 430 on a computer with a system language of en-GB would default its query to “https://en-GB.CSP/.” A CSP response 170, in FIG. 5, may contain data that serves as input for the network dispersion engine 430. Such input may include providing alternative credential service providers. An example CSP response 170 that contains data as utilized by a network dispersion engine 430 may look like the following:

    <response>
      <relationships for="sony.jp">
        <count>0</count>
      </relationships>
      <dispersion>
        <relationships for="*://sony.jp/*">
          <at count="3" lang="ja" csp="http://tokoyo.csp/" />
          <at count="5" lang="en" csp="http://Washington.csp/">
            <list>3342,5517,3847,1356</list>
          </at>
          <unique total="43">
            <path data="/corporate/*" />
            <path data="/products/*" />
          </unique>
        </relationships>
      </dispersion>
    </response>

In the previous CSP response 170 listing, data enclosed in the dispersion tags serve to determine network access by relaying the location of relationship information for the domain “sony.jp” as divided by language. A web browser may use this data as a mechanism for determining state for the need to query CSP 440, in FIG. 8. The determination mechanism, as someone skilled in the art would recognize, is dependent on web browser implementation. For example, a web browser on a cell phone may opt to ignore instructions or suggestions to contact other CSP servers due to hard coded limits or user defined specific limits on network access in order to prevent incurring extra costs due to the data transfer.
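One way a browser could read the CSP response 170 listing and decide which alternative CSP servers to contact, as an added Python example that is not part of the patent text. The function names, the returned dictionary layout, the DOCTYPE refusal and the trusted_hosts allowlist are assumptions; the sample response is the listing above with straight quotes.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple
from urllib.parse import urlsplit

# The response listing from the text, with straight quotes.
SAMPLE_RESPONSE = """<response>
  <relationships for="sony.jp"><count>0</count></relationships>
  <dispersion>
    <relationships for="*://sony.jp/*">
      <at count="3" lang="ja" csp="http://tokoyo.csp/" />
      <at count="5" lang="en" csp="http://Washington.csp/">
        <list>3342,5517,3847,1356</list>
      </at>
      <unique total="43">
        <path data="/corporate/*" />
        <path data="/products/*" />
      </unique>
    </relationships>
  </dispersion>
</response>"""


class Referral(NamedTuple):
    lang: str   # language of the relationship data held at that CSP
    csp: str    # URL of the alternative credential service provider
    count: int  # number of relationships reported there
    ids: list   # values from <list>, if any


def parse_csp_response(xml_text):
    """Extract the direct count, the dispersion scope, referrals and unique paths."""
    # Entity definitions need a DOCTYPE; refusing one keeps entity-expansion
    # input away from the parser, since a CSP response arrives over the network.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in a CSP response")
    root = ET.fromstring(xml_text)
    direct = root.find("relationships")
    scoped = root.find("dispersion/relationships")
    referrals, unique_paths = [], []
    if scoped is not None:
        for at in scoped.findall("at"):
            ids = [int(v) for v in (at.findtext("list") or "").split(",") if v.strip()]
            referrals.append(Referral(at.get("lang", ""), at.get("csp", ""),
                                      int(at.get("count", "0")), ids))
        unique_paths = [p.get("data") for p in scoped.findall("unique/path")]
    return {"direct_count": int(direct.findtext("count", "0")) if direct is not None else 0,
            "scope": scoped.get("for") if scoped is not None else None,
            "referrals": referrals, "unique_paths": unique_paths}


def plan_queries(referrals, system_lang, follow_referrals=True, trusted_hosts=None):
    """Pick which alternative CSPs to contact; [] means stay with the current one."""
    if not follow_referrals:  # e.g. a phone with a hard limit on network access
        return []
    primary = system_lang.split("-")[0].lower()  # "en-US" -> "en"
    targets = []
    for ref in referrals:
        host = urlsplit(ref.csp).hostname
        if ref.lang.lower() != primary or ref.count <= 0:
            continue
        # Assumption: referrals are followed only to hosts the browser already trusts.
        if trusted_hosts is not None and host not in trusted_hosts:
            continue
        targets.append(ref.csp)
    return targets
```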

In FIG. 8, a network dispersion engine 430 can work in tandem with a cache engine 410 to determine the state regarding a need to query CSP 440. The cache engine 410 can store relationship data in multiple languages, originating CSP, and various other metrics used by a network dispersion engine 430. For example, if the network dispersion engine 430 sets the state to answer “yes” to the need to query CSP 440 because relationship data states that additional relationship information is stored on other servers, the cache engine 410 can set state to answer “no” to the need to query CSP 440 if it has that data locally, or alternatively the cache engine 410 can modify the CSP to contact if some relationships are cached but others needed to be queried.

In FIG. 8, a network dispersion engine 430 can work in tandem with a uniqueness identifier engine 420 to determine state regarding a need to query CSP 440. A uniqueness identifier may suggest that a URI is unique in such a way that it would set state to answer yes to a need to query CSP 440. The network dispersion engine 430 can override a state set by the uniqueness identifier engine 420 with regard to determining a need to query CSP 440.

Although specific examples were used above in describing the invention, such language should not be construed as limiting the implementation of the invention. Various components can be used in various combinations and in various order, with some components absent and some operations absent, yet still comprise the invention as laid forth in the claims. The invention can be implemented in machine readable instructions stored on physical media used to alter the state of a machine. Examples of physical media containing machine readable instructions may be CD-ROM, hard disk drives, RAM, ROM, punch cards, flash memory, or other such medium suitable for such machine readable instructions. A machine capable of reading instructions that can alter its state includes a general purpose processor, a special purpose processor, or other such computable device capable of reading instructions and altering state.

Thus a reader can see that a relationship indicator provides a convenient mechanism of ascertaining credentials. The invention extends the concept of meaningful connections beyond a business to business (B2B) or business to consumer (B2C) connection into a plurality of three party systems, such as business to business to business (B2B2B) or business to business to consumer (B2B2C) scenarios. With this invention, consumers utilizing a web browser can now determine credibility of businesses by those businesses' relationships with other businesses. Difficulties regarding the researching of credentials of businesses on the Internet are reduced by alleviating the requirement of having to find appropriate authorities. Claims made by entities on the Internet can be known to be authentic such that the entity represented as issuing the credential is directly responsible for the presence of the indicator stating such credential. Consumers and businesses can immediately know something about another business because they know that stated credentials of that business are authentic, and by familiarity with various credentials can identify legitimate entities.

While the above invention contains specific examples or implementations, these should not be construed as limitations on the scope of the invention, but rather as an exemplification of one preferred embodiment thereof. Many other variations are possible. For example, a web browser could be designed as a computer program without a traditional user interface that obtains credential information to be displayed in various locations and ways, like an employment website utilizing an OpenID solution where the OpenID provider is a University such that the OpenID URI is used to allow the employment website to determine if the person represented by the OpenID URI has a degree as issued by the University, and such that the employment website manifests the relationship identifier in such a way unique to their system for various other means or reporting mechanisms. Stated another way, an employer may see logos next to potential employees on a website where the logo represents a relationship between the potential employee and various credential issuers, such as Universities that issue degrees.

What is claimed is:
 1. A method, comprising: accessing, from a credential service provider, a credential made by an issuer entity about a holder entity, wherein the issuer entity provides the credential to the credential service provider, wherein the issuer entity, the holder entity, and the credential service provider are separate entities; using a portion of a uniform resource identifier to access the credential on the credential service provider, wherein the credential is an issued credential between the issuer entity and the holder entity associated with the uniform resource identifier; retrieving the issued credential by forwarding the issued credential from the credential service provider to a web interface; and rendering a representation of the credential, in the web interface, between the issuer entity and the holder entity associated with the uniform resource identifier.
 2. The method of claim 1, further comprising storing the credential via a cache engine.
 3. The method of claim 1, further comprising analyzing tokens to control query frequency to the credential service provider via a uniqueness identifier engine.
 4. The method of claim 1, further comprising controlling access and determining access to the credential service provider via a network dispersion engine.
 5. The method of claim 2, further comprising analyzing tokens to control query frequency to the credential service provider.
 6. The method of claim 2, further comprising controlling access and determining access to the credential service provider via a network dispersion engine.
 7. The method of claim 1, further comprising determining whether a query is necessary based on a user initiated access operation, and, if so, performing the query, and, if not, determining whether there is relationship data and modifying the web interface based on the relationship data.
 8. An apparatus, comprising: a processor configured to: access, from a credential service provider, a credential made by an issuer entity about a holder entity, wherein the issuer entity provides the credential to the credential service provider, wherein the issuer entity, the holder entity, and the credential service provider are separate entities; use a portion of a uniform resource identifier to access the credential on the credential service provider, wherein the credential is an issued credential between the issuer entity and the holder entity associated with the uniform resource identifier; retrieve the issued credential when the issued credential is forwarded from the credential service provider to a web interface; a display with a web interface configured to render a representation of the credential, in the web interface, between the issuer entity and the holder entity associated with the uniform resource identifier.
 9. The apparatus of claim 8, further comprising a cached engine configured to store the credential.
 10. The apparatus of claim 8, further comprising a uniqueness identifier engine configured to analyze tokens to control query frequency to the credential service provider.
 11. The apparatus of claim 8, further comprising a network dispersion engine configured to control access and determine access to the credential service provider.
 12. The apparatus of claim 9, wherein the processor is further configured to analyze tokens to control query frequency to the credential service provider.
 13. The apparatus of claim 9, further comprising a network dispersion engine configured to control access and to determine access to the credential service provider.
 14. The apparatus of claim 8, wherein the processor is further configured to determine whether a query is necessary based on a user initiated access operation, and, if so, perform the query, and, if not, determine whether there is relationship data and modify the web interface based on the relationship data.
 15. A non-transitory computer readable storage medium configured to store instructions, that when executed causes a processor to perform: accessing, from a credential service provider, a credential made by an issuer entity about a holder entity, wherein the issuer entity provides the credential to the credential service provider, wherein the issuer entity, the holder entity, and the credential service provider are separate entities; using a portion of a uniform resource identifier to access the credential on the credential service provider, wherein the credential is an issued credential between the issuer entity and the holder entity associated with the uniform resource identifier; retrieving the issued credential by forwarding the issued credential from the credential service provider to a web interface; and rendering a representation of the credential, in the web interface, between the issuer entity and the holder entity associated with the uniform resource identifier.
 16. The non-transitory computer readable storage medium of claim 15, wherein the processor is further configured to perform storing the credential via a cache engine.
 17. The non-transitory computer readable storage medium of claim 15, wherein the processor is further configured to perform analyzing tokens to control query frequency to the credential service provider via a uniqueness identifier engine.
 18. The non-transitory computer readable storage medium of claim 15, wherein the processor is further configured to perform controlling access and determining access to the credential service provider via a network dispersion engine.
 19. The non-transitory computer readable storage medium of claim 16, wherein the processor is further configured to perform analyzing tokens to control query frequency to the credential service provider.
 20. The non-transitory computer readable storage medium of claim 15, wherein the processor is further configured to perform determining whether a query is necessary based on a user initiated access operation, and, if so, performing the query, and, if not, determining whether there is relationship data and modifying the web interface based on the relationship data.